A few questions about your setup.
Since it is centrally managed, I hope you also have a central license.
Which version of CP and also of Solaris?
If you look into SmartDashboard, which IP is used for the GW there?
The internal or the external IP? If the internal one, no SIC reset is needed.
Does the box also do NAT? Then you have to change every object which is NATed behind the old IP space in the rulebase!
First of all, make sure you have direct access (serial/keyboard) to the machine.
Create a dump/copy of all your routing tables and maybe static ARP entries.
Code:
netstat -rn | tee ~/save_routingtable
arp -an | tee ~/save_arp
Also do not forget the following files:
/etc/hosts
/etc/hostname.???
/etc/defaultrouter
/etc/netmasks
$FWDIR/conf/local.arp
Do you have ARP and routing in a startup script? Then create a copy and also make new files with the right ARP/routing (do not replace the old one with the new one now).
If you have identified all objects, routing ... and also have the new setup on paper (important, never trust your mind if something goes wrong, since you are new to this OS):
- If the license is locally attached and bound to the external IP, you have to generate a new one first.
- If the license is at the central management, revoke it from the GW (I think this will also reset SIC, but not sure).
For a SIC reset do the following on an NG version:
Code:
cpconfig
Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) VPNx
(7) Enable cluster membership for this gateway
(8) Automatic start of Check Point Products
Choose option 1 to see the licenses; note the IP.
Code:
Host Expiration Signature Features
172.22.1.18 never ...... ......
Choose option 5 for the SIC reset and later to set up the new trust.
Now we can start to prepare the new IP setup.
We start at the host to see if everything we do is OK.
Code:
cpstop
# qfe0 is the interface here; yours may be an hmeN instead
ifconfig qfe0 inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
# then check with
ifconfig -a
# if you get an error, do a "route delete default" before
route add default xxx.xxx.xxx.xxx
Now try to ping your upstream router and check if you see the router MAC with arp -an.
If everything is OK, change the interface file /etc/hostname.qfeN or hmeN and also the entries in /etc/defaultrouter, /etc/hosts and /etc/netmasks.
Now you can try one of the first ARP entries for a test.
Note: the MAC is from your public interface, in this notation: 8:0:12:b7:31:7a, and the pub keyword is not optional!
Code:
arp -s PublicIP MAC pub
Check again with arp -an.
Now inject all ARPs and routing in the following schema.
Code:
# arp -s NewPubObjectIP MAC-of-public-IF pub
# /usr/sbin/route add host NewPubObjectIP NatIP
If this works and you have scripts for this, it is time to bring them into the game (modified ARP and routing scripts).
Replace the original ones with the new ones and fire the scripts up.
Check again.
Now check all the scripts you have to save if you have to modify something here, then do it now (but keep a copy).
If you have done everything, it is safe to reboot to see if routing and ARP work (only if you have direct, not remote access like SSH).
If everything works well you can recreate SIC, install the new license and the modified rulebase, and then do all checks ...
Not described here: changes for remote clients ...
Hope this helps, but no guarantee; maybe I forgot something, or the order is not 100% correct.
Good luck
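The "inject all ARPs and routing" step above is where typos in a long list of NATed objects hurt most. The helper below is an added example, not part of the original post: it takes the public-IP/NAT-IP pairs from stdin and emits the arp -s ... pub and route add host lines as a script you can read through and diff against your saved tables before running it as root. The function name, the input format and the TEST-NET addresses in the demo are all constructed for this example.

```sh
#!/bin/sh
# gen_nat_cmds: hypothetical helper that turns a mapping of
#   NewPubObjectIP  NatIP        (one object per line, '#' comments allowed)
# read from stdin into the proxy-ARP and host-route commands for the gateway.
# Nothing is applied; the output is a script to review first.
gen_nat_cmds() {
    mac="$1"
    # Solaris shows the public-interface MAC without leading zeros
    # (8:0:12:b7:31:7a); accept that or the zero-padded form.
    case "$mac" in
        *:*:*:*:*:*) ;;
        *) echo "gen_nat_cmds: bad MAC '$mac'" >&2; return 1 ;;
    esac
    echo "#!/bin/sh"
    echo "# proxy ARP + host routes for NATed objects via MAC $mac"
    n=0
    while read -r pub nat _rest; do
        case "$pub" in ''|'#'*) continue ;; esac
        if [ -z "$nat" ]; then
            echo "gen_nat_cmds: missing NAT IP for $pub" >&2
            return 1
        fi
        # 'pub' publishes the entry so the gateway answers ARP for the public IP
        echo "arp -s $pub $mac pub"
        # route the untranslated public IP to the real host behind the NAT
        echo "/usr/sbin/route add host $pub $nat"
        n=$((n + 1))
    done
    # show the result so it can be compared with the saved tables
    echo "arp -an"
    echo "netstat -rn"
    echo "# $n object(s) configured" >&2
    return 0
}

# Demo with constructed TEST-NET addresses: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    gen_nat_cmds 8:0:12:b7:31:7a <<'EOF'
# public IP        real IP behind static NAT (constructed sample)
203.0.113.10       10.0.0.10
203.0.113.11       10.0.0.11
EOF
fi
```

Redirect the output to a file, read it, and only then run it on the box; keep the saved netstat -rn and arp -an dumps from the first step to compare against afterwards.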